What Is .HTACCESS?

November 28, 2006 / General Discussion

.Htaccess is a small text file that controls the configuration aspects of an Apache webserver. Most people are familiar with the .htaccess file in relation to the ability to restrict access to a directory via password protection. However, .htaccess can do a lot more than password protection.

.Htaccess is an extremely powerful configuration tool that can customize the way your website behaves and how your web server handles requests. You can create as many .htaccess files as you wish for your website; you can have one in every directory if you like.

However, an .htaccess file controls the directory it is placed in, as well as every directory beneath the one where it resides. For that reason, many people bother with just one .htaccess file, located in the root directory.

Of course, if you are password protecting a directory, you would want to place an .htaccess file in the directory you are protecting, assuming that it isn't your root directory.

.HTACCESS AUTHENTICATION TUTORIAL

Sometimes it is necessary to have a directory of your website off-limits to the general public. Perhaps you have an area that is members only, or maybe you have an administrative area that you don’t want others messing with.

Using the .htaccess file in tandem with the .htpasswd file, you can restrict access to that area of your site. If a visitor tries to access that particular area, they will be prompted for a username and password, and will not be allowed access until they provide the proper username/password combination.

To set up password protection on one of your directories you will need to be able to telnet into your web server. Although telnet access isn’t required and there are workarounds, this tutorial only covers password protection setup via the telnet method.

Below is an example of a simple .htaccess file:

Code:
AuthUserFile /path/to/your/password/file/.htpasswd
AuthGroupFile /dev/null
AuthName "Restricted Stuff"
AuthType Basic

require valid-user

The .htaccess file affects any directory it is placed in and overrides the pre-configured server settings. Additionally, the .htaccess file affects folders recursively.

For example, if you password protect a folder on your website located at http://www.website.com/restricted/ by placing this .htaccess in your restricted directory, not only will the restricted folder be password protected, but so will all the files and folders within it.

Back to the .htaccess file. The first line, beginning with AuthUserFile tells the webserver where it should look to find the username/password file. You will need to change the /path/to/… to reflect the path to your password file.

Keep the file name as .htpasswd. The next line down, AuthGroupFile, is similar to the AuthUserFile, but instead of being a list of username/passwords, the AuthGroupFile outlines specific groups that have access to this directory. We’ll talk more about restricting group access in a later tutorial.

For now, setting the AuthGroupFile to /dev/null tells the server that there are no groups to restrict.

The next line, AuthName is customizable and can be set to display a message or describe the area that someone is logging into.

In the browser's password dialog (the original screenshot was taken from IE5), anything that is included on the AuthName line will appear as the Realm. The require valid-user line in the .htaccess can be left as is.
Now it’s time to create the .htpasswd file.

The .htpasswd file is a list of all the usernames/passwords that have access to the restricted directory. You will need to telnet into your web server and change into the directory where the AuthUserFile line of the .htaccess file says the .htpasswd file can be found.

To create a new .htpasswd file, type the following at the command prompt, being sure to change johndoe to the username of the account you want to add to the .htpasswd file:

Code:
htpasswd -c .htpasswd johndoe

You will be prompted for a new password to assign to johndoe; once you enter it, you will be prompted to verify it again. If you need to add additional usernames/passwords, you can enter the same command as above, without the -c switch.

The -c switch is used only to create a new .htpasswd file. For example, to add janedoe to your .htpasswd file you would type the following and then follow the prompts for entering the password:

Code:
htpasswd .htpasswd janedoe

Passwords are stored encrypted (hashed) in the .htpasswd file, never in plain text. The 13-character form shown below is the traditional crypt(3) hash, which only uses the first eight characters of the password; newer versions of htpasswd default to an MD5-based hash and can produce bcrypt hashes with the -B switch, which is the better choice today. A standard .htpasswd file will look something like this:

Code:
johndoe:rngxrrnRhGdFo
janedoe:3lmIn9MHfWkKc

This tutorial outlines a simple method to restrict individual users from accessing certain areas of your website. Coming soon we’ll discuss some more advanced methods of using .htaccess/.htpasswd to restrict access from certain IP addresses and certain groups.
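Added example, not code from the original post: a small Python model of the decision the server makes for the require valid-user line. It parses the Authorization header a browser sends back after the realm dialog, checks the credentials against .htpasswd entries, and otherwise answers with the 401 challenge that carries the AuthName as the realm. It verifies only {SHA} entries (the format htpasswd -s writes); the tutorial's 13-character crypt(3) entries are recognised but treated as failed logins, since this example contains no crypt implementation. The user alice, her password and the sample file contents are constructed.

```python
import base64, hashlib, re

def sha_entry(user, password):
    """Build a {SHA} entry, the format `htpasswd -s` writes: base64 of the raw SHA-1."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"

def hash_scheme(stored):
    """Classify the hash field; the 13-character form is crypt(3), as in the tutorial."""
    if stored.startswith("{SHA}"):
        return "sha1"
    if stored.startswith(("$apr1$", "$2y$", "$2a$", "$2b$")):
        return "apr1-md5-or-bcrypt"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", stored):
        return "crypt"
    return "plain"

def load_htpasswd(text):
    """Map user -> stored hash, skipping blank and comment lines."""
    lines = (l for l in text.splitlines() if ":" in l and not l.startswith("#"))
    return dict(l.split(":", 1) for l in lines)

def verify(stored, password):
    """Only {SHA} is checked; crypt/apr1/bcrypt entries count as failed logins here."""
    if hash_scheme(stored) == "sha1":
        return sha_entry("", password).split(":", 1)[1] == stored
    return False

def check_basic_auth(authorization_header, htpasswd_text, realm):
    """What `require valid-user` decides: (200, user) or (401, challenge header)."""
    challenge = (401, f'WWW-Authenticate: Basic realm="{realm}"')
    if not authorization_header or not authorization_header.startswith("Basic "):
        return challenge
    try:
        user, password = base64.b64decode(authorization_header[6:]).decode().split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return challenge
    users = load_htpasswd(htpasswd_text)
    if user in users and verify(users[user], password):
        return (200, user)
    return challenge

def make_authorization(user, password):
    """What the browser sends after the dialog: base64(user:password), encoding not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

# Constructed sample: the tutorial's two crypt() entries plus one {SHA} entry built above.
HTPASSWD = "johndoe:rngxrrnRhGdFo\njanedoe:3lmIn9MHfWkKc\n" + sha_entry("alice", "correct horse")
```

Because the header is only base64, anyone who can read the request can read the password, which is why Basic authentication belongs behind HTTPS.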

.HTACCESS REDIRECTION TUTORIAL

Sometimes it is necessary to redirect a user from one page to another. Perhaps a search engine lists a page that is no longer available on your website.

Instead of having a person click on that link from the search engine and be greeted by a 404 File Not Found error from your site, you can redirect them to any page on your site, simply by adding a few lines to your .htaccess file:

Code:
Redirect /main.html http://www.website.com/index.html

This small line in the .htaccess file will redirect any requests for www.website.com/main.html to www.website.com/index.html. You can fill in the pages and URLs for any pages you like, and as long as you keep it in the format above, it should work just fine. You can even redirect several pages to the same page.

.HTACCESS AND CUSTOMIZED ERROR MESSAGES

About 90% of the time, web servers generate boring error messages when they cannot find a page or encounter some other server error. You might have a nice color-coordinated website, but let's face it, black text on a white background is a little passé.

Wouldn’t it be nice to create customized error messages that match the rest of the layout of your website?

Well, it’s really quite simple. There are five major error messages that visitors to your site could potentially encounter.

Code:

ERROR NUMBER   ERROR DESCRIPTION
400            Bad Request
401            Authorization Required
403            Forbidden Document
404            File Not Found
500            Internal Server Error

The first thing you'll need to do is design an HTML page for each error number above. You can copy the descriptions from actual server-generated error pages, or you can put a fresh spin on them and design your own from the ground up.

It might be a good idea to put some links in your error messages to guide your lost visitors to a safe place, perhaps a link to your main page or a search page for your site's content. An e-mail address might also be nice so a visitor can inform you of the error they encountered.

Okay, so now that you’ve gotten your HTML pages all made, you are going to need to place them in a folder on your web server. Let’s say that you’ve made a folder called “errors” and have placed all five of your customized error messages in there. Now we need to edit the .htaccess file and add these lines below:

Code:

ErrorDocument 400 /errors/400.html
ErrorDocument 401 /errors/401.html
ErrorDocument 403 /errors/403.html
ErrorDocument 404 /errors/404.html
ErrorDocument 500 /errors/500.html

You will need to change the directory and the names of the HTML documents to reflect where your error messages are and what names you’ve given them.

In the above example, if the server encounters a request for a page that no longer exists, it will look to your .htaccess file and see that for a 404 error it should display the page 404.html located in the "errors" directory.

Remember that the .htaccess file only affects the directory it's located in and all those directories recursively located beneath it. So if you want .htaccess to generate customized error messages for your whole site, you had best place the ErrorDocument lines in the .htaccess in your root directory.

PREVENTING ACCESS TO .HTACCESS FILES

Your .htaccess files typically reside in your root directory. Since it is almost guaranteed that there will be an .htaccess file in your root directory, practically anyone could request and view it through their web browser using the appropriate URL, unless the server refuses such requests.

Most of the time there is information in the .htaccess file that you don't want people to know, such as the location of .htpasswd files (password files) or the rules for allowing and denying access.

One way to prevent visitors from viewing your .htaccess file is to deny access to that particular filename. Add the following lines to the .htaccess file in your root directory to deny visitors from viewing all .htaccess files contained in your website. The <Files> wrapper is essential: on their own, the two directives inside it would deny access to your entire site, and the Order argument is written without a space, because Apache rejects "order allow, deny" as two arguments. Most stock Apache configurations already contain an equivalent <FilesMatch "^\.ht"> rule in httpd.conf, so it is worth confirming that yours does; on Apache 2.4 the same rule is written as "Require all denied", and the Order/Deny syntax only works there with mod_access_compat loaded.
Code:

<Files .htaccess>
order allow,deny
deny from all
</Files>

OPTIONS EXEC

Getting scripts to work properly on your server can be a difficult job. There are so many variables that can cause a script to go awry. Sometimes all it takes is the addition of a few lines to your .htaccess file to get a stubborn script working.

If you have access to the error logs on your server and you see a line resembling "Options ExecCGI is off on this directory", you need to add the following line to the .htaccess file located in the same folder as the script you are trying to execute:

Code:
Options ExecCGI

In many versions of Apache, Perl scripts need explicit permission to run in a directory, especially if you have .cgi or .pl files located in directories other than the cgi-bin directory.

By adding the line above to the .htaccess file in the folder where the script is located, you give the web server permission to execute files within that directory. This only takes effect if the server's AllowOverride setting permits Options in .htaccess files, and the script extensions must also be mapped to the CGI handler (for example with AddHandler cgi-script .cgi .pl) unless the main configuration already does so.

RESTRICTING ACCESS TO A DIRECTORY (specific hosts/IPs)

Here, we will simply explain how you can tweak it a bit to deny a certain IP from accessing a particular directory in your server. Create your .htaccess file like so:

Code:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName AllowLocalAccess
AuthType Basic

order allow,deny
allow from all
deny from 0.0.0.0

In this example, replace 0.0.0.0 with the IP number you wish to block. Doing so will deny any visitor who uses that IP number. Two details matter here: the Order argument is written without a space (Apache rejects "order allow, deny" as two arguments), and the order must be allow,deny, because with deny,allow the Allow directives are evaluated last, so a matching "allow from all" would let the blocked address through anyway. The four Auth lines are not needed for IP blocking and can be omitted. You can also replace the 0.0.0.0 with a hostname like "icthus.net" (although in reality, you don't want to block off this magnificent domain); hostname rules make the server perform reverse DNS lookups on each request. On Apache 2.4 the equivalent is a <RequireAll> block containing "Require all granted" and "Require not ip 0.0.0.0", since Order/Allow/Deny are only available there through mod_access_compat.
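Added example, not code from the original post: a Python simulation of how Apache 2.2 evaluates Order, Allow from and Deny from, following the documented rules (Allow,Deny: a request must match an Allow and no Deny, unmatched requests are refused; Deny,Allow: a matching Deny applies unless an Allow also matches, unmatched requests are permitted). It also mirrors Apache's rejection of "order allow, deny" written with a space. It goes a little beyond the single-IP case above by accepting CIDR blocks and partial dotted quads; hostnames are not resolved. The rule sets and the address 203.0.113.7 are constructed.

```python
import ipaddress

def parse_access_rules(htaccess_text):
    """Collect Order/Allow/Deny directives (Apache 2.2 mod_access syntax).
    Apache's default when no Order directive is present is Deny,Allow."""
    order, allow, deny = "deny,allow", [], []
    for raw in htaccess_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "order":
            # Apache rejects "order allow, deny": the space makes it two arguments.
            if len(parts) != 2:
                raise ValueError("Order takes one argument: " + raw.strip())
            order = parts[1].lower()
        elif directive in ("allow", "deny") and len(parts) > 2 and parts[1].lower() == "from":
            (allow if directive == "allow" else deny).extend(parts[2:])
    return order, allow, deny

def rule_matches(rule, client_ip):
    """'all', an exact address, a CIDR block, or a partial dotted quad such as '10.1'.
    Hostnames are not resolved in this simulation and therefore never match."""
    if rule.lower() == "all":
        return True
    addr = ipaddress.ip_address(client_ip)
    try:
        return addr in ipaddress.ip_network(rule, strict=False)
    except ValueError:
        pass
    if rule.replace(".", "").isdigit():
        return client_ip.startswith(rule.rstrip(".") + ".")
    return False

def is_allowed(htaccess_text, client_ip):
    """Apply the documented evaluation order and the default for unmatched requests."""
    order, allow, deny = parse_access_rules(htaccess_text)
    allowed = any(rule_matches(r, client_ip) for r in allow)
    denied = any(rule_matches(r, client_ip) for r in deny)
    if order == "allow,deny":   # must match an Allow and no Deny; unmatched -> denied
        return allowed and not denied
    if order == "deny,allow":   # Deny applies unless an Allow also matches; unmatched -> allowed
        return allowed or not denied
    raise ValueError("unsupported Order value: " + order)

# Constructed rule sets for the single-IP block (203.0.113.7 is a documentation address).
AS_POSTED = "order deny,allow\ndeny from 203.0.113.7\nallow from all\n"
CORRECTED = "order allow,deny\nallow from all\ndeny from 203.0.113.7\n"
```

Running is_allowed on AS_POSTED shows the blocked address still getting in, while CORRECTED refuses it and admits everyone else.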

Doing this will prevent any visits originating from the icthus.net domain, which, we again emphasize, is something nobody would want to do.

Up until this point you were probably thinking "Why would someone want to block off people's IP numbers and prevent these people from visiting their website?", right? Well,

A typical situation could be that Joe visited Bob's site in the past and posted some nasty comments on Bob's message board, prompting Bob to block out Joe so Bob's other visitors are not offended.

It could also be that John visited Tom's site, copied Tom's content, and keeps copying every new piece of content that Tom adds to his site.

It could also be because Jane has not yet returned Lisa’s favorite X-Files paperback and Lisa is preventing Jane from visiting her X-Files Fan Site. The reason could range from the shallow to the absurd. But whatever the reason,